
I want to set permissions so that an executable file cannot be deleted or renamed but can be executed.

When I deny it from being deleted, it also can't be executed. Why?

Is there a way to make it undeletable but executable? (I am using advanced permissions to set it to allow execute and read the file).

1 Answer

Prevent file Deletion or Rename but allow Read and Execute access

Try icacls with the below syntax against the file you want to lock down and with the username (or security group name) to which it'll apply. There are comment notes in the script above each command, prefixed with :::, explaining what each does specifically to ACL the permissions.

You should reset the ACL permissions back to the way they were originally set before you made whatever changes you made before running this. Once you complete that, verify that the account can execute the file, and then afterwards run the below script.

Essentially this disables ACL inheritance on the folder the executable file resides in and on the file itself. It then grants an explicit read and execute to both the folder and the executable file. To prevent the renaming of the file, it denies create files / write data on the folder the executable file resides in. Lastly, it explicitly denies delete access to both the folder and the executable file as well.


Script

@ECHO ON
SETLOCAL ENABLEDELAYEDEXPANSION
SET "Exe=C:\Folder\Path\file.exe"
SET "uAccount=Username"
FOR %%a in ("%Exe%") DO SET "eFolder=%%~DPa"
::: This strips the last "\" from the folder the exe resides in so icacls can process it
SET "eFolder=!eFolder:~0,-1!"

::: Disables ACL inheritance on the folder the exe file resides in but copies all inherited ACLs as explicit before removing
ICACLS "!eFolder!" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the folder the exe file resides in
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the folder the exe file resides in (/remove:d targets deny ACEs; /remove:g would only touch grants)
ICACLS "!eFolder!" /remove:d "%uAccount%" /C
::: Grants explicit read and execute ACL access on only the folder the exe file resides in
ICACLS "!eFolder!" /grant:r "%uAccount%:(RX)" /C
::: Denies delete ACL access on only the folder the exe file resides in
ICACLS "!eFolder!" /deny "%uAccount%:(DE)"
::: Denies create files / write data ACL access on only the folder the exe file resides in (this is what blocks a rename)
ICACLS "!eFolder!" /deny "%uAccount%:(WD)"

::: Disables ACL inheritance on the exe file only but copies all inherited ACLs as explicit before removing
ICACLS "%Exe%" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the exe file
ICACLS "%Exe%" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the exe file (/remove:d targets deny ACEs)
ICACLS "%Exe%" /remove:d "%uAccount%" /C
::: Grants explicit read and execute ACL access only to the exe file
ICACLS "%Exe%" /grant:r "%uAccount%:(RX)" /C
::: Grants an explicit deny of delete ACL access only to the exe file
ICACLS "%Exe%" /deny "%uAccount%:(DE)"

PAUSE
EXIT

Note: Change the value of the Exe= variable to be the full explicit path to the executable file you wish to lock down, and the value of the uAccount= variable to be the username (or security group name) of the account (or group) for which you wish this to be performed.


GUI ACL Permission Clarification

Folder the exe resides in

[screenshot: advanced security settings of the folder]

The exe file itself

[screenshot: advanced security settings of the exe file]

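As an added verification step (this is not part of the original answer), the PowerShell below reads the ACL back on the folder and the file and reports, for the account, whether Delete is denied, ReadAndExecute is allowed, inheritance is off, and, for the folder, CreateFiles is denied. It also flags any Deny ACE that covers ReadData or ExecuteFile: Deny ACEs are evaluated before Allow ACEs, so a deny that was set through a broad right such as Modify or Full Control also withholds execute, which is the symptom the question describes. `$Exe` and `$Account` are placeholders assumed to match the batch script.

```powershell
# Added check script; assumes the same placeholder values as the batch script above.
$Exe     = 'C:\Folder\Path\file.exe'
$Account = 'Username'
$Folder  = Split-Path -Path $Exe -Parent
$FSR     = [System.Security.AccessControl.FileSystemRights]

function Test-LockdownAcl {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path
    # Keep only ACEs whose trustee name (after any DOMAIN\ prefix) is the account under test
    $rules = $acl.Access | Where-Object {
        ($_.IdentityReference.Value -split '\\')[-1] -eq $Identity }
    $deny  = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' }

    # Helper: does any ACE in $set carry at least one bit of $mask?
    function HasBit($set, $mask) {
        [bool]($set | Where-Object { ($_.FileSystemRights -band $mask) -ne 0 })
    }

    [pscustomobject]@{
        Path              = $Path
        InheritanceOff    = $acl.AreAccessRulesProtected
        DeleteDenied      = HasBit $deny  $FSR::Delete
        CreateFilesDenied = HasBit $deny  $FSR::CreateFiles      # (WD) on the folder blocks renames
        RXAllowed         = [bool]($allow | Where-Object {
                                ($_.FileSystemRights -band $FSR::ReadAndExecute) -eq $FSR::ReadAndExecute })
        # A Deny that also withholds read or execute is why the file stops running
        ExecBlockedByDeny = HasBit $deny ($FSR::ReadData -bor $FSR::ExecuteFile)
        DenyRights        = ($deny  | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        AllowRights       = ($allow | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
    }
}

Test-LockdownAcl -Path $Folder -Identity $Account | Format-List
Test-LockdownAcl -Path $Exe    -Identity $Account | Format-List
```

The expected result after the batch script is `DeleteDenied` true on both objects, `CreateFilesDenied` true on the folder, `RXAllowed` true and `ExecBlockedByDeny` false on both; if `ExecBlockedByDeny` is true, the listed `DenyRights` show which broad right pulled read or execute into the deny.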